From vbrodets...@apache.org
Subject ambari git commit: AMBARI-20453. Minor refactoring and clean up in ambari-server.(vbrodetskyi)
Date Thu, 16 Mar 2017 22:02:48 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk d28036e12 -> bcd17da52


AMBARI-20453. Minor refactoring and clean up in ambari-server.(vbrodetskyi)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/bcd17da5
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/bcd17da5
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/bcd17da5

Branch: refs/heads/trunk
Commit: bcd17da52ffc3bb6a6db0b97b1d28b96ef12b9e4
Parents: d28036e
Author: Vitaly Brodetskyi <vbrodetskyi@hortonworks.com>
Authored: Thu Mar 16 21:36:25 2017 +0200
Committer: Vitaly Brodetskyi <vbrodetskyi@hortonworks.com>
Committed: Thu Mar 16 21:36:25 2017 +0200

----------------------------------------------------------------------
 ambari-server/src/main/assemblies/server.xml    |   3 +-
 .../server/security/CertificateManager.java     |   4 +
 .../src/main/package/rpm/postinstall.sh         |  18 ++
 .../python/ambari_server/resourceFilesKeeper.py |   4 +-
 .../python/ambari_server/serverConfiguration.py |   1 +
 .../scripts/check_ambari_permissions.py         | 242 +++++++++++++++++++
 6 files changed, 269 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/bcd17da5/ambari-server/src/main/assemblies/server.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/assemblies/server.xml b/ambari-server/src/main/assemblies/server.xml
index cc9ad0f..2783526 100644
--- a/ambari-server/src/main/assemblies/server.xml
+++ b/ambari-server/src/main/assemblies/server.xml
@@ -288,7 +288,7 @@
       <outputDirectory>/var/lib/ambari-server/</outputDirectory>
     </file>
     <file>
-      <fileMode>755</fileMode>
+      <fileMode>700</fileMode>
       <source>conf/unix/ca.config</source>
       <outputDirectory>/var/lib/ambari-server/keys</outputDirectory>
     </file>
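Review bot: The new mode for `conf/unix/ca.config` still carries the owner execute bit, although the file is a configuration file read by the certificate tooling rather than something that is run. `<fileMode>600</fileMode>` gives the same confidentiality without marking it executable. The enclosing `<files>` element starts and ends outside this hunk.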
@@ -373,6 +373,7 @@
       <outputDirectory>/var/lib/ambari-server/resources</outputDirectory>
     </file>
     <file>
+      <fileMode>644</fileMode>
       <source>src/main/resources/slider_resources/README.txt</source>
       <outputDirectory>/var/lib/ambari-server/resources/apps</outputDirectory>
     </file>

http://git-wip-us.apache.org/repos/asf/ambari/blob/bcd17da5/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
index 8d54acb..c9e7c6e 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
@@ -66,6 +66,8 @@ public class CertificateManager {
       "-keyfile {0}" + File.separator + "{4} -cert {0}" + File.separator + "{5}"; /**
        * Verify that root certificate exists, generate it otherwise.
        */
+  private static final String SET_PERMISSIONS = "find %s -type f -exec chmod 700 {} +";
+
   public void initRootCert() {
     LOG.info("Initialization of root certificate");
     boolean certExists = isCertExists();
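Review bot: The new `SET_PERMISSIONS` constant is inserted between the Javadoc comment "Verify that root certificate exists, generate it otherwise." and `initRootCert()`, so that comment now attaches to the constant and the method is left undocumented; move the constant above the `/**` line and give it its own comment, e.g. `/** Shell command restricting every file under the keystore directory to its owner. */`. The mode `700` also sets the execute bit on key and certificate files, which they do not need; `chmod 600` in the `-exec` clause would be the tighter choice. The body of `initRootCert()` continues outside the hunk.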
@@ -161,6 +163,8 @@ public class CertificateManager {
     command = MessageFormat.format(EXPRT_KSTR,scriptArgs);
     runCommand(command);
 
+    command = String.format(SET_PERMISSIONS,srvrKstrDir);
+    runCommand(command);
   }
 
   /**
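Review bot: The added `chmod` step formats `srvrKstrDir` into a command string unquoted, and nothing visible here inspects its result, so a directory path containing whitespace or a failing `find` would leave the key files at their previous mode without any signal. `runCommand` is not shown, so whether it raises or logs on a non-zero exit needs confirming; if it does not, log the failure at this call site. Setting the mode from Java with `java.nio.file.Files.setPosixFilePermissions` would avoid both the string formatting and the extra process. Permissions are also tightened only after the preceding commands have written the files, so it is worth checking that the directory itself is already owner-only at that point. The enclosing method starts outside the hunk.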

http://git-wip-us.apache.org/repos/asf/ambari/blob/bcd17da5/ambari-server/src/main/package/rpm/postinstall.sh
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/package/rpm/postinstall.sh b/ambari-server/src/main/package/rpm/postinstall.sh
index 1e8e0f0..021a514 100644
--- a/ambari-server/src/main/package/rpm/postinstall.sh
+++ b/ambari-server/src/main/package/rpm/postinstall.sh
@@ -17,6 +17,10 @@
 
 INSTALL_HELPER="${RPM_INSTALL_PREFIX}/var/lib/ambari-server/install-helper.sh"
 
+AMBARI_SERVER_KEYS_FOLDER="${ROOT}/var/lib/ambari-server/keys"
+AMBARI_SERVER_KEYS_DB_FOLDER="${ROOT}/var/lib/ambari-server/keys/db"
+AMBARI_SERVER_NEWCERTS_FOLDER="${ROOT}/var/lib/ambari-server/keys/db/newcerts"
+
 case "$1" in
   1) # Action install
     if [ -f "$INSTALL_HELPER" ]; then
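Review bot: The three new folder variables are built from `${ROOT}` while `INSTALL_HELPER` two lines above uses `${RPM_INSTALL_PREFIX}`, and `ROOT` is not assigned anywhere in the visible lines. If `ROOT` is unset in the scriptlet environment, a relocated install would have its helper resolved under the prefix but the `chmod 700` calls in the second hunk applied to (or skipped for) `/var/lib/ambari-server/keys` on the real root. Derive all four paths from the same prefix, e.g. `AMBARI_SERVER_KEYS_FOLDER="${RPM_INSTALL_PREFIX}/var/lib/ambari-server/keys"`, or add a comment stating where `ROOT` is set. The `case` block continues outside this hunk.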
@@ -30,4 +34,18 @@ case "$1" in
   ;;
 esac
 
+if [ -d "$AMBARI_SERVER_KEYS_FOLDER" ]
+then
+    chmod 700 "$AMBARI_SERVER_KEYS_FOLDER"
+    if [ -d "$AMBARI_SERVER_KEYS_DB_FOLDER" ]
+    then
+        chmod 700 "$AMBARI_SERVER_KEYS_DB_FOLDER"
+        if [ -d "$AMBARI_SERVER_NEWCERTS_FOLDER" ]
+        then
+            chmod 700 "$AMBARI_SERVER_NEWCERTS_FOLDER"
+
+        fi
+    fi
+fi
+
 exit 0

http://git-wip-us.apache.org/repos/asf/ambari/blob/bcd17da5/ambari-server/src/main/python/ambari_server/resourceFilesKeeper.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/resourceFilesKeeper.py b/ambari-server/src/main/python/ambari_server/resourceFilesKeeper.py
index 188f3ff..baf8179 100644
--- a/ambari-server/src/main/python/ambari_server/resourceFilesKeeper.py
+++ b/ambari-server/src/main/python/ambari_server/resourceFilesKeeper.py
@@ -237,7 +237,7 @@ class ResourceFilesKeeper():
     try:
       with open(hash_file, "w") as fh:
         fh.write(new_hash)
-      os.chmod(hash_file, 0o666)
+      os.chmod(hash_file, 0o755)
     except Exception, err:
       raise KeeperException("Can not write to file {0} : {1}".format(hash_file,
                                                                    str(err)))
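Review bot: The hash file written here is plain data, so the new mode `0o755` removes the group/other write bit but adds an execute bit that nothing needs; `os.chmod(hash_file, 0o644)` is the least-privilege equivalent. The same applies to `os.chmod(zip_file_path, 0o755)` in the next hunk, where the target is a zip archive. Both enclosing methods start outside their hunks.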
@@ -267,7 +267,7 @@ class ResourceFilesKeeper():
                                         arcname))
             zf.write(absname, arcname)
       zf.close()
-      os.chmod(zip_file_path, 0o666)
+      os.chmod(zip_file_path, 0o755)
     except Exception, err:
       raise KeeperException("Can not create zip archive of "
                             "directory {0} : {1}".format(directory, str(err)))

http://git-wip-us.apache.org/repos/asf/ambari/blob/bcd17da5/ambari-server/src/main/python/ambari_server/serverConfiguration.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/serverConfiguration.py b/ambari-server/src/main/python/ambari_server/serverConfiguration.py
index 2c0ab90..fb016d0 100644
--- a/ambari-server/src/main/python/ambari_server/serverConfiguration.py
+++ b/ambari-server/src/main/python/ambari_server/serverConfiguration.py
@@ -551,6 +551,7 @@ class ServerConfigDefaultsLinux(ServerConfigDefaults):
       (AmbariPath.get("/var/lib/ambari-server/resources/common-services/STORM/0.9.1/package/files/wordCount.jar"),
"644", "{0}", False),
       (AmbariPath.get("/var/lib/ambari-server/resources/stacks/HDP/2.1.GlusterFS/services/STORM/package/files/wordCount.jar"),
"644", "{0}", False),
       (AmbariPath.get("/var/lib/ambari-server/resources/stacks/HDP/2.0.6/hooks/before-START/files/fast-hdfs-resource.jar"),
"644", "{0}", False),
+      (AmbariPath.get("/var/lib/ambari-server/resources/stacks/HDP/2.1/services/SMARTSENSE/package/files/view/smartsense-ambari-view-1.4.0.0.60.jar"),
"644", "{0}", False),
       # Also, /etc/ambari-server/conf/password.dat
       # is generated later at store_password_file
     ]
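Review bot: The added entry pins an exact build in the file name, `smartsense-ambari-view-1.4.0.0.60.jar`, so the `644` rule will stop matching as soon as the bundled view jar is shipped under a different version. If the surrounding list supports it, a rule on the containing `view` directory would survive version changes; otherwise a comment such as `# NOTE: file name includes the SmartSense view version; update on upgrade` would at least make the coupling visible. The list and its enclosing definition start outside the hunk.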

http://git-wip-us.apache.org/repos/asf/ambari/blob/bcd17da5/ambari-server/src/main/resources/scripts/check_ambari_permissions.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/scripts/check_ambari_permissions.py b/ambari-server/src/main/resources/scripts/check_ambari_permissions.py
new file mode 100644
index 0000000..638f65f
--- /dev/null
+++ b/ambari-server/src/main/resources/scripts/check_ambari_permissions.py
@@ -0,0 +1,242 @@
+#!/usr/bin/env python
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+
+import os
+import shlex
+import subprocess
+import argparse
+
+JAR_FILE_PERMISSIONS = 644
+DIRECTORY_PERMISSIONS = 755
+FILE_PERMISSIONS = 755
+SECURE_DIRECTORY_PERMISSIONS = 700
+SECURE_FILE_PERMISSIONS = 700
+
+# List of directories with jar files or path to jar file. If "directory", then we will check
all jar files in it and in all subdirectories. If jar "file" then we will check only this
file.
+jar_files_to_check = ["/var/lib/ambari-server/", "/usr/lib/ambari-server/"]
+
+# List of directories. For this list we are only checking permissions for directory.
+directories_to_check = ["/etc/ambari-server/conf", "/usr/lib/ambari-server", "/usr/lib/python2.6/site-packages/ambari_server",
+                        "/var/lib/ambari-server"]
+
+# List of directories/files. If "directory", then we will check all files in it and in all
subdirectories. If "file" then we will check only this file.
+files_to_check = ["/etc/ambari-server/conf/", "/etc/init/ambari-server.conf", "/etc/init.d/ambari-server",
+                  "/usr/lib/ambari-server", "/usr/lib/python2.6/site-packages/ambari_server",
"/usr/sbin/ambari_server_main.py",
+                  "/usr/sbin/ambari-server.py", "/var/lib/ambari-server"]
+
+
+# List of secure directories. For this list we are only checking permissions for directory.
+secure_directories_to_check = ["/var/lib/ambari-server/keys"]
+
+# List of secure directories/files. If "directory", then we will check all files in it and
in all subdirectories. If "file" then we will check only this file.
+secure_files_to_check = ["/var/lib/ambari-server/keys"]
+
+
+
+def main():
+  parser = argparse.ArgumentParser(
+    description='This script search for ambari files with incorrect permissions.',
+    epilog='Only for ambari!'
+  )
+
+  # options
+  parser.add_argument('--ambari-root-dir', type=str, default='/',
+                      action='store', help='Ambari server root directory. By default it is
"/".')
+
+  args = parser.parse_args()
+  do_work(args)
+
+
+def get_YN_input(prompt, default):
+  yes = set(['yes', 'ye', 'y'])
+  no = set(['no', 'n'])
+  return get_choice_string_input(prompt, default, yes, no)
+
+
+def get_choice_string_input(prompt, default, firstChoice, secondChoice):
+  choice = raw_input(prompt).lower()
+  if choice in firstChoice:
+    return True
+  elif choice in secondChoice:
+    return False
+  elif choice is "":  # Just enter pressed
+    return default
+  else:
+    print "input not recognized, please try again: "
+    return get_choice_string_input(prompt, default, firstChoice, secondChoice)
+
+def check_directory_permissions(dir_path, perm):
+  print "Checking directory " + dir_path + ":"
+  directories_with_wrong_permissions = []
+  # check directory permissions
+  directories_with_wrong_permissions = []
+  if os.path.exists(dir_path):
+    (retcode, stdout, stderr) = os_run_os_command("find " + str(dir_path) + " -type d -perm
" + str(perm))
+    if retcode > 0:
+      print "ERROR: failed to check permissions for directory " + str(dir_path) + ": " +
str(stderr) + "\n"
+
+    if stdout and not stdout == "":
+      directories_with_wrong_permissions = directories_with_wrong_permissions + stdout.splitlines()
+  else:
+    print "ERROR: directory " + dir_path + " doesn't exist!\n"
+
+  return directories_with_wrong_permissions
+
+
+def check_files_in_directory_or_file_for_permissions(path, perm):
+  files_with_wrong_permissions = []
+  if os.path.exists(path):
+    if os.path.isdir(path):
+      # check files in directory
+      print "Checking files in directory " + path
+      (retcode, stdout, stderr) = os_run_os_command("find " + str(path) + " -type f -perm
" + str(perm))
+      if retcode > 0:
+        print "ERROR: failed to check permissions for files in " + str(path) + ": " + str(stderr)
+ "\n"
+
+    elif os.path.isfile(path):
+      # check file for permissions
+      print "Checking file " + path + ":"
+      (retcode, stdout, stderr) = os_run_os_command("find " + str(path) + " -type f -perm
" + str(perm))
+      if retcode > 0:
+        print "ERROR: failed to check permissions for directory " + str(path) + ": " + str(stderr)
+ "\n"
+
+    if stdout and not stdout == "":
+      files_with_wrong_permissions = files_with_wrong_permissions + stdout.splitlines()
+  else:
+    print "ERROR: directory/file " + path + " doesn't exist!\n"
+
+  return files_with_wrong_permissions
+
+
+def update_permissions(list_of_paths, permissions, ask_msg):
+  if list_of_paths:
+    fix_permissions = get_YN_input(ask_msg + " [y/n] (y)? ", True)
+    if fix_permissions:
+      for path in list_of_paths:
+        (retcode, stdout, stderr) = os_run_os_command("chmod " + str(permissions) + " " +
str(path))
+        if retcode > 0:
+          print "ERROR: failed to update permissions" + str(permissions) + " for " + str(path)
+ ": " + str(stderr) + "\n"
+
+
+def print_paths_with_wrong_permissions(list_of_paths):
+  for path in list_of_paths:
+    (retcode, stdout, stderr) = os_run_os_command("stat -c \"%A %a %n\" " + str(path))
+    if retcode > 0:
+      print "ERROR: failed to get permissions for path " + str(path) + ": " + str(stderr)
+ "\n"
+    else:
+      print  str(stdout).rstrip("\n")
+
+
+def do_work(args):
+  print "\n*****Check file, or files in directory for valid permissions (without w for group
and other)*****"
+  for path in files_to_check:
+    path = os.path.join(args.ambari_root_dir, path.lstrip('/'))
+    files_with_wrong_permissions = check_files_in_directory_or_file_for_permissions(path,
"/g=w,o=w")
+
+  if files_with_wrong_permissions:
+    print "\nFiles with wrong permissions:"
+    print_paths_with_wrong_permissions(files_with_wrong_permissions)
+    update_permissions(files_with_wrong_permissions, FILE_PERMISSIONS, "Fix permissions for
files to " + str(FILE_PERMISSIONS) + " (recommended) ")
+
+  print "\n*****Check ambari jar file, or files in directory, for valid permissions (without
w+x for group and other)*****"
+  jar_files_with_wrong_permissions = []
+  for jar_path in jar_files_to_check:
+    jar_path = os.path.join(args.ambari_root_dir, jar_path.lstrip('/'))
+    if os.path.exists(jar_path):
+      if os.path.isdir(jar_path):
+        # check files in directory for permissions
+        print "Checking jars in " + str(jar_path)
+        (retcode, stdout, stderr) = os_run_os_command("find " + str(jar_path) + " -type f
-name *.jar -perm /g=w+x,o=w+x")
+        if retcode > 0:
+          print "ERROR: failed to check permissions for jar files in " + str(jar_path) +
": " + str(stderr) + "\n"
+
+      elif os.path.isfile(jar_path):
+        # check file for permissions
+        print "Checking jar " + str(jar_path)
+        (retcode, stdout, stderr) = os_run_os_command("find " + str(jar_path) + " -type f
-perm /g=w+x,o=w+x")
+        if retcode > 0:
+          print "ERROR: failed to check permissions for file " + str(jar_path) + ": " + str(stderr)
+ "\n"
+
+      if stdout and not stdout == "":
+        jar_files_with_wrong_permissions = jar_files_with_wrong_permissions + stdout.splitlines()
+    else:
+      print "ERROR: directory " + jar_path + " doesn't exist!\n"
+
+  if jar_files_with_wrong_permissions:
+    print "\nJar files with wrong permissions:"
+    print_paths_with_wrong_permissions(jar_files_with_wrong_permissions)
+    update_permissions(jar_files_with_wrong_permissions, JAR_FILE_PERMISSIONS, "Fix permissions
for jar files to " + str(JAR_FILE_PERMISSIONS) + " (recommended) ")
+
+
+  print "\n*****Check directories for valid permissions (without w for group and other)*****"
+  for dir_path in directories_to_check:
+    dir_path = os.path.join(args.ambari_root_dir, dir_path.lstrip('/'))
+    directories_with_wrong_permissions = check_directory_permissions(dir_path, "/g=w,o=w")
+
+  if directories_with_wrong_permissions:
+    print "\nDirectories with wrong permissions:"
+    print_paths_with_wrong_permissions(directories_with_wrong_permissions)
+    update_permissions(directories_with_wrong_permissions, DIRECTORY_PERMISSIONS, "Fix permissions
for directories to " + str(DIRECTORY_PERMISSIONS) + " (recommended) ")
+
+  print "\n*****Check secure directories for valid permissions (without r+w+x for group and
other)*****"
+  for dir_path in secure_directories_to_check:
+    dir_path = os.path.join(args.ambari_root_dir, dir_path.lstrip('/'))
+    secure_directories_with_wrong_permissions = check_directory_permissions(dir_path, "/g=r+w+x,o=r+w+x")
+
+  if secure_directories_with_wrong_permissions:
+    print "\nSecure directories with wrong permissions:"
+    print_paths_with_wrong_permissions(secure_directories_with_wrong_permissions)
+    update_permissions(secure_directories_with_wrong_permissions, SECURE_DIRECTORY_PERMISSIONS,
"Fix permissions for secure directories to " + str(SECURE_DIRECTORY_PERMISSIONS) + " (recommended)
")
+
+  print "\n*****Check secure file, or files in directory for valid permissions (without r+w+x
for group and other)*****"
+  for path in secure_files_to_check:
+    path = os.path.join(args.ambari_root_dir, path.lstrip('/'))
+    secure_files_with_wrong_permissions = check_files_in_directory_or_file_for_permissions(path,
"/g=r+w+x,o=r+w+x")
+
+  if secure_files_with_wrong_permissions:
+    print "\nSecure files with wrong permissions:"
+    print_paths_with_wrong_permissions(secure_files_with_wrong_permissions)
+    update_permissions(secure_files_with_wrong_permissions, SECURE_FILE_PERMISSIONS, "Fix
permissions for secure files to " + str(SECURE_FILE_PERMISSIONS) + " (recommended) ")
+
+  print "\nCheck completed."
+
+
+def os_run_os_command(cmd, env=None, shell=False, cwd=None):
+  if type(cmd) == str:
+    cmd = shlex.split(cmd)
+  process = subprocess.Popen(cmd,
+                             stdout=subprocess.PIPE,
+                             stdin=subprocess.PIPE,
+                             stderr=subprocess.PIPE,
+                             env=env,
+                             cwd=cwd,
+                             shell=shell
+  )
+
+  (stdoutdata, stderrdata) = process.communicate()
+  return process.returncode, stdoutdata, stderrdata
+
+
+
+
+
+
+if __name__ == "__main__":
+  main()
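Review bot: In `do_work`, the loops over `files_to_check`, `directories_to_check`, `secure_directories_to_check` and `secure_files_to_check` assign the check result to the same variable on every iteration, so only the last path's findings are printed and offered for fixing; the jar loop is the only one that accumulates. Initialise each list before its loop and extend it inside, as sketched below. Separately, `update_permissions` and `print_paths_with_wrong_permissions` concatenate each path from `find`'s output into a command string that `os_run_os_command` re-splits with `shlex`, so a file name containing whitespace or quotes is handed to `chmod` or `stat` as several arguments. `os_run_os_command` already accepts a list, so passing an argv list keeps each path as a single argument. In `check_files_in_directory_or_file_for_permissions`, `stdout` is also read without being assigned when the path exists but is neither a directory nor a regular file.

```python
# in do_work: collect findings across every configured path
files_with_wrong_permissions = []
for path in files_to_check:
  path = os.path.join(args.ambari_root_dir, path.lstrip('/'))
  files_with_wrong_permissions += check_files_in_directory_or_file_for_permissions(path, "/g=w,o=w")
# ... unchanged: report and update_permissions call; same pattern for the directory and secure loops ...

# in update_permissions: argv list, so a path is never re-split
for path in list_of_paths:
  (retcode, stdout, stderr) = os_run_os_command(["chmod", str(permissions), path])
# ... unchanged: error reporting; print_paths_with_wrong_permissions likewise with ["stat", "-c", "%A %a %n", path] ...
```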

